valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

att&ck tags review: windows/process_creation part 6

Browse Source
This commit is contained in:
grikos 2020-09-05 20:35:21 +03:00
parent bd5026f6b9
commit 961e4eef4c
20 changed files with 72 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/windows/process_creation/win_spn_enum.yml
View File

@ -8,8 +8,8 @@ author: Markus Neis, keepwatch
date: 2018/11/14
tags:
- attack.credential_access
- attack.t1208
- attack.t1558.003
- attack.t1208 # an old one
logsource:
category: process_creation
product: windows

2
rules/windows/process_creation/win_susp_bcdedit.yml
View File

@ -10,8 +10,8 @@ tags:
- attack.defense_evasion
- attack.t1070
- attack.persistence
- attack.t1067
- attack.t1542.003
- attack.t1067 # an old one
logsource:
category: process_creation
product: windows

6
rules/windows/process_creation/win_susp_bginfo.yml
View File

@ -7,11 +7,13 @@ references:
- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
author: Beyu Denis, oscd.community
date: 2019/10/26
modified: 2019/11/04
modified: 2020/09/05
tags:
- attack.defense_evasion
- attack.execution
- attack.t1059.005
- attack.defense_evasion
- attack.t1218
- attack.t1202
level: medium
logsource:
category: process_creation

8
rules/windows/process_creation/win_susp_cdb.yml
View File

@ -1,17 +1,19 @@
title: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner
id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
status: experimental
description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
description: Launch 64-bit shellcode from a debugger script file using cdb.exe.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml
- http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
author: Beyu Denis, oscd.community
date: 2019/10/26
modified: 2019/11/04
modified: 2020/09/05
tags:
- attack.defense_evasion
- attack.execution
- attack.t1106
- attack.defense_evasion
- attack.t1218
- attack.t1127
level: medium
logsource:
category: process_creation

10
rules/windows/process_creation/win_susp_certutil_command.yml
View File

@ -4,8 +4,8 @@ status: experimental
description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with
the built-in certutil utility
author: Florian Roth, juju4, keepwatch
modified: 2019/01/22
date: 2019/01/16
modified: 2020/09/05
references:
- https://twitter.com/JohnLaTwC/status/835149808817991680
- https://twitter.com/subTee/status/888102593838362624
@ -41,9 +41,15 @@ fields:
tags:
- attack.defense_evasion
- attack.t1140
- attack.command_and_control
- attack.t1105
- attack.s0189
- attack.s0160
- attack.g0007
- attack.g0010
- attack.g0045
- attack.g0049
- attack.g0075
- attack.g0096
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high

4
rules/windows/process_creation/win_susp_certutil_encode.yml
View File

@ -7,6 +7,10 @@ references:
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
author: Florian Roth
date: 2019/02/24
modified: 2020/09/05
tags:
- attack.defense_evasion
- attack.t1027
logsource:
category: process_creation
product: windows

6
rules/windows/process_creation/win_susp_cmd_http_appdata.yml
View File

@ -7,11 +7,13 @@ references:
- https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
author: Florian Roth
date: 2019/01/16
modified: 2020/09/05
tags:
- attack.execution
- attack.t1059
- attack.t1059.005
- attack.t1059.003
- attack.t1059.001
- attack.command_and_control
- attack.t1105
logsource:
category: process_creation
product: windows

10
rules/windows/process_creation/win_susp_compression_params.yml
View File

@ -5,12 +5,14 @@ description: Detects suspicious command line arguments of common data compressio
references:
- https://twitter.com/SBousseaden/status/1184067445612535811
tags:
- attack.exfiltration
- attack.t1020
- attack.t1002
- attack.t1560
- attack.collection
- attack.t1560.001
- attack.exfiltration # an old one
- attack.t1020 # an old one
- attack.t1002 # an old one
author: Florian Roth, Samir Bousseaden
date: 2019/10/15
modified: 2020/09/05
logsource:
category: process_creation
product: windows

5
rules/windows/process_creation/win_susp_comsvcs_procdump.yml
View File

@ -7,6 +7,7 @@ references:
- https://twitter.com/SBousseaden/status/1167417096374050817
author: Modexp (idea)
date: 2019/09/02
modified: 2020/09/05
logsource:
category: process_creation
product: windows
@ -24,9 +25,11 @@ fields:
- CommandLine
- ParentCommandLine
tags:
- attack.defense_evasion
- attack.t1218.011
- attack.credential_access
- attack.t1003
- attack.t1003.001
- attack.t1003 # an old one
falsepositives:
- unknown
level: medium

8
rules/windows/process_creation/win_susp_control_dll_load.yml
View File

@ -4,15 +4,13 @@ status: experimental
description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
author: Florian Roth
date: 2017/04/15
modified: 2020/09/05
references:
- https://twitter.com/rikvduijn/status/853251879320662017
tags:
- attack.defense_evasion
- attack.t1073
- attack.t1085
- car.2013-10-002
- attack.t1218
- attack.t1574.002
- attack.t1085 # an old one
- attack.t1218.011
logsource:
category: process_creation
product: windows

7
rules/windows/process_creation/win_susp_copy_lateral_movement.yml
View File

@ -6,11 +6,14 @@ references:
- https://twitter.com/SBousseaden/status/1211636381086339073
author: Florian Roth
date: 2019/12/30
modified: 2020/09/05
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1105
- attack.t1021.002
- attack.command_and_control
- attack.t1105
- attack.s0106
- attack.t1077 # an old one
logsource:
category: process_creation
product: windows

2
rules/windows/process_creation/win_susp_copy_system32.yml
View File

@ -4,6 +4,7 @@ status: experimental
description: Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name
author: Florian Roth, Markus Neis
date: 2020/07/03
modified: 2020/09/05
references:
- https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
logsource:
@ -11,6 +12,7 @@ logsource:
product: windows
tags:
- attack.defense_evasion
- attack.t1036.003
detection:
selection:
CommandLine|contains:

2
rules/windows/process_creation/win_susp_covenant.yml
View File

@ -8,8 +8,8 @@ author: Florian Roth
date: 2020/06/04
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
- attack.t1086 # an old one
logsource:
category: process_creation
product: windows

3
rules/windows/process_creation/win_susp_crackmapexec_execution.yml
View File

@ -8,9 +8,10 @@ tags:
- attack.execution
- attack.t1047
- attack.t1053
- attack.t1086
- attack.t1059.003
- attack.t1059.001
- attack.s0106
- attack.t1086 # an old one
author: Thomas Patzke
date: 2020/05/22
logsource:

7
rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
View File

@ -7,10 +7,11 @@ references:
- https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
tags:
- attack.execution
- attack.t1086
- attack.defense_evasion
- attack.t1027
- attack.t1059.001
- attack.defense_evasion
- attack.t1027.005
- attack.t1027 # an old one
- attack.t1086 # an old one
author: Thomas Patzke
date: 2020/05/22
logsource:

7
rules/windows/process_creation/win_susp_csc.yml
View File

@ -6,9 +6,14 @@ references:
- https://twitter.com/SBousseaden/status/1094924091256176641
author: Florian Roth
date: 2019/02/11
modified: 2020/09/05
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
- attack.defense_evasion
- attack.t1036
- attack.t1500
- attack.t1218.005
logsource:
category: process_creation
product: windows

3
rules/windows/process_creation/win_susp_csc_folder.yml
View File

@ -9,11 +9,10 @@ references:
- https://twitter.com/gN3mes1s/status/1206874118282448897
author: Florian Roth
date: 2019/08/24
modified: 2019/12/17
modified: 2020/09/05
tags:
- attack.defense_evasion
- attack.t1500
- attack.t1027
logsource:
category: process_creation
product: windows

3
rules/windows/process_creation/win_susp_curl_download.yml
View File

@ -4,13 +4,14 @@ status: experimental
description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
author: Florian Roth
date: 2020/07/03
modified: 2020/09/05
references:
- https://twitter.com/reegun21/status/1222093798009790464
logsource:
category: process_creation
product: windows
tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1105
detection:
selection1:

5
rules/windows/process_creation/win_susp_curl_fileupload.yml
View File

@ -4,6 +4,7 @@ status: experimental
description: Detects a suspicious curl process start the adds a file to a web request
author: Florian Roth
date: 2020/07/03
modified: 2020/09/05
references:
- https://twitter.com/d1r4c/status/1279042657508081664
- https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
@ -11,8 +12,8 @@ logsource:
category: process_creation
product: windows
tags:
- attack.defense_evasion
- attack.t1105
- attack.exfiltration
- attack.t1567
detection:
selection:
Image|endswith: '\curl.exe'

3
rules/windows/process_creation/win_susp_curl_start_combo.yml
View File

@ -6,9 +6,12 @@ references:
- https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983
author: Sreeman
date: 2020/01/13
modified: 2020/09/05
tags:
- attack.execution
- attack.t1218
- attack.command_and_control
- attack.t1105
logsource:
category: process_creation
product: windows